Previously confidential documents published today reveal the staggering extent of UK Government surveillance that has been kept secret from the public and Parliament for the last 15 years. Revealed in a case brought by Privacy International about the use of so-called ‘Bulk Personal Datasets’ and a law dating back to 1984, the extracts show that the UK Government’s intelligence services, GCHQ, MI5, and MI6, routinely requisition personal data from potentially thousands of public and private organisations. This includes data held by financial institutions and may also include anything from confidential NHS records to databases of people who have signed electronic petitions.

The term ‘Bulk Personal Datasets’ was first used in March last year in an Intelligence & Security Committee (ISC) Report. Even the ISC, the Parliamentary Committee that oversees the work of the intelligence agencies and has full security clearance, was unaware of the use of BPDs until recently. The papers released today act as proof of, and show the sheer scale of, British intelligence agency surveillance of our personal data. It goes far beyond monitoring our text messages, email messages, and social media posts. The intelligence agencies have secretly given themselves access to potentially any and all recorded information about us.

The Intelligence and Security Committee reported (paras 156, 158) that there are hundreds of millions of records which may be linked together. The datasets are likely to contain significant quantities of information about British citizens. None of the intelligence agencies have been able to provide statistics about the volume of personal information about British citizens included in the datasets.

The extent of abuses of personal sensitive data has also been revealed for the first time. In recent years only three cases of non-compliance or misuse resulted in staff being disciplined. It is not apparent that any victims have been notified.

The documents also describe the intelligence agencies’ use of Section 94 of The Telecommunications Act 1984 to access data in bulk. The Telecommunications Act is pre-internet legislation that was never intended to enable this level of intrusion in a digital age. Until November 2015, the use of Section 94 to require telecommunications companies to provide bulk access to communications data outside the protections of the RIPA (Regulation of Investigatory Powers Bill) regime was unknown.

Millie Graham Wood, Legal Officer at Privacy International, said:

“The information revealed by this disclosure shows the staggering extent to which the intelligence agencies hoover up our data. This can be anything from your private medical records, your correspondence with your doctor or lawyer, even what petitions you have signed, your financial data, and commercial activities. This data is integrated into databases that could be used to build detailed profiles about all of us. The agencies themselves admit that the majority of data collected relates to individuals who are not a threat to national security or suspected of a crime. This highly sensitive information about us is vulnerable to attack from hackers, foreign governments, and criminals. The agencies have been doing this for 15 years in secret and are now quietly trying to put these powers on the statute book for the first time, in the Investigatory Powers Bill, which is currently being debated in Parliament. These documents reveal a lack of openness and transparency with the public about these staggering powers and a failure to subject them to effective Parliamentary scrutiny.”